Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add option to log but not enforce connection filtering, reset proposal stats through Admin server API #112

Merged
merged 2 commits into from
Jun 14, 2023
Merged

Add option to log but not enforce connection filtering, reset proposal stats through Admin server API #112

merged 2 commits into from
Jun 14, 2023

Conversation

abhilash1in
Copy link
Collaborator

@abhilash1in abhilash1in commented May 12, 2023
edited
Loading

Description

  1. Add option to log but not enforce connection filtering.
    • When ZK server is in dedicated mode and X509ZNodeGroupAclProvider.enforceDedicatedDomain is false and a client with ID not part of the corresponding dedicated domain tries to connect, ZK server logs a warning but allows the connection to be established. When X509ZNodeGroupAclProvider.enforceDedicatedDomain is true, ZK server disconnects the connection (current and default behavior).
  2. Reset proposal stats through Admin server API (in line with stat reset 4lw command)
  3. [Update: These changes were removed from this PR and will be incorporated in a different PR ] Removes misconfigured attempts to parse zookeeper.X509ZNodeGroupAclProvider related properties from zoo.cfg.
    • Let's take an example zoo.cfg line, X509ZNodeGroupAclProvider.setX509ClientIdAsAcl=true
    • This will not be captured by 
      if (key.equals(X509AuthenticationConfig.SET_X509_CLIENT_ID_AS_ACL)) {
         X509AuthenticationConfig.getInstance().setX509ClientIdAsAclEnabled(value);
}
    • This is because X509AuthenticationConfig.SET_X509_CLIENT_ID_AS_ACL is equal to zookeeper.X509ZNodeGroupAclProvider.setX509ClientIdAsAcl, but key is X509ZNodeGroupAclProvider.setX509ClientIdAsAcl (without zookeeper.).
    • The zoo.cfg parsing of X509ZNodeGroupAclProvider and usage of associated setters (like in the above if block) was never being used so far.
    • Instead, we were relying on the default else block below to set X509ZNodeGroupAclProvider.setX509ClientIdAsAcl from zoo.cfg as zookeeper.X509ZNodeGroupAclProvider.setX509ClientIdAsAcl System property, which is then read by associated getters. 
       else {
     System.setProperty("zookeeper." + key, value);
 }

Tests

mvn test -e -Dtest=X509ZNodeGroupAclProviderTest#testConnectionFiltering -DfailIfNoTests=false

Dedicated domain = DomainX

  1. Authorized domain is allowed to connect
2023-05-12 16:40:16,314 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@76] - Client URI domain mapping root path: /zookeeper/uri-domain-map
2023-05-12 16:40:16,317 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@135] - Registering client URI domain mapping: DomainYUser --> DomainY
2023-05-12 16:40:16,317 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@135] - Registering client URI domain mapping: CrossDomainUser --> CrossDomain
2023-05-12 16:40:16,318 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@135] - Registering client URI domain mapping: DomainXUser --> DomainX
2023-05-12 16:40:16,318 [myid:] - INFO  [main:X509ZNodeGroupAclProvider@194] - New UriDomainMappingHelper has been instantiated.
2023-05-12 16:40:16,322 [myid:] - WARN  [main:X509AuthenticationUtil@74] - Key store location not specified for SSL
2023-05-12 16:40:16,322 [myid:] - WARN  [main:X509AuthenticationUtil@106] - Truststore location not specified for SSL
2023-05-12 16:40:16,322 [myid:] - INFO  [main:X509AuthenticationConfig@245] - zookeeper.X509ZNodeGroupAclProvider.dedicatedDomain = DomainX
2023-05-12 16:40:16,322 [myid:] - INFO  [main:X509ZNodeGroupAclProvider@237] - Id 'DomainXUser' belongs to domain that matches server namespace 'DomainX', authorized for access.
2023-05-12 16:40:16,323 [myid:] - INFO  [main:X509ZNodeGroupAclProvider@277] - Authenticated Id 'scheme: x509, id: DomainXUser' has been added to session 0x0 from host .
  1. Unauthorized domain is not allowed to connect (connection filtering is enforced)
2023-05-12 16:40:16,323 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@76] - Client URI domain mapping root path: /zookeeper/uri-domain-map
2023-05-12 16:40:16,324 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@135] - Registering client URI domain mapping: DomainYUser --> DomainY
2023-05-12 16:40:16,324 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@135] - Registering client URI domain mapping: CrossDomainUser --> CrossDomain
2023-05-12 16:40:16,324 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@135] - Registering client URI domain mapping: DomainXUser --> DomainX
2023-05-12 16:40:16,324 [myid:] - INFO  [main:X509ZNodeGroupAclProvider@194] - New UriDomainMappingHelper has been instantiated.
2023-05-12 16:40:16,324 [myid:] - INFO  [main:X509AuthenticationConfig@245] - zookeeper.X509ZNodeGroupAclProvider.dedicatedDomain = DomainY
2023-05-12 16:40:16,324 [myid:] - INFO  [main:X509AuthenticationConfig@250] - zookeeper.X509ZNodeGroupAclProvider.enforceDedicatedDomain = true
2023-05-12 16:40:16,325 [myid:] - ERROR [main:X509ZNodeGroupAclProvider@243] - Id 'DomainXUser' does not belong to domain that matches server namespace 'DomainY', disconnecting the connection.
  1. Unauthorized domain is allowed to connect with a warning log (connection filterning not enforced)
2023-05-12 16:40:16,325 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@76] - Client URI domain mapping root path: /zookeeper/uri-domain-map
2023-05-12 16:40:16,325 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@135] - Registering client URI domain mapping: DomainYUser --> DomainY
2023-05-12 16:40:16,325 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@135] - Registering client URI domain mapping: CrossDomainUser --> CrossDomain
2023-05-12 16:40:16,325 [myid:] - INFO  [main:ZkClientUriDomainMappingHelper@135] - Registering client URI domain mapping: DomainXUser --> DomainX
2023-05-12 16:40:16,325 [myid:] - INFO  [main:X509ZNodeGroupAclProvider@194] - New UriDomainMappingHelper has been instantiated.
2023-05-12 16:40:16,326 [myid:] - INFO  [main:X509AuthenticationConfig@245] - zookeeper.X509ZNodeGroupAclProvider.dedicatedDomain = DomainY
2023-05-12 16:40:16,326 [myid:] - INFO  [main:X509AuthenticationConfig@250] - zookeeper.X509ZNodeGroupAclProvider.enforceDedicatedDomain = false
2023-05-12 16:40:16,326 [myid:] - WARN  [main:X509ZNodeGroupAclProvider@247] - Id 'DomainXUser' does not belong to domain that matches server namespace 'DomainY'. Allowing connection for now, but client connection will be blocked/disconnected in future when dedicated domain connection filtering is enforced.

@abhilash1in abhilash1in marked this pull request as draft May 12, 2023 19:38
@abhilash1in abhilash1in requested review from rahulrane50 and mgao0 May 12, 2023 21:53
@abhilash1in abhilash1in marked this pull request as ready for review May 12, 2023 21:53
@abhilash1in abhilash1in changed the title Add option to log but not enforce connection filtering Add option to log but not enforce connection filtering, reset proposal stats through Admin server API May 12, 2023
desaikomal
desaikomal reviewed May 12, 2023
View reviewed changes
Copy link
Collaborator

@desaikomal desaikomal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you can answer the test case related, thing, that will help to approve the change.

desaikomal
desaikomal approved these changes May 15, 2023
View reviewed changes
Copy link
Collaborator

@desaikomal desaikomal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for working on this.

desaikomal
desaikomal approved these changes May 15, 2023
View reviewed changes
Copy link
Collaborator

@desaikomal desaikomal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for working on this.

rahulrane50
rahulrane50 reviewed May 16, 2023
View reviewed changes
Copy link
Collaborator

@rahulrane50 rahulrane50 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM thanks for making this change.

zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/QuorumPeerConfig.java
@@ -377,28 +376,6 @@ public void parseProperties(Properties zkProp) throws IOException, ConfigExcepti
backupConfigBuilder.setTimetableStoragePath(value);
} else if (key.equals(BackupSystemProperty.BACKUP_TIMETABLE_BACKUP_INTERVAL_MS)) {
backupConfigBuilder.setTimetableBackupIntervalInMs(Long.parseLong(value));
} else if (key.equals(X509AuthenticationConfig.SET_X509_CLIENT_ID_AS_ACL)) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is not correct then essentially we are doing lazy binding of these variables. Other way to fix this is fix these if blocks. I would suggest separate out this change into separate PR and test it independently and make sure "all" these fields are lazily bound in their getter methods.

abhilash1in and others added 2 commits June 13, 2023 22:49
@abhilash1in
Add option to log but not enforce connection filtering
0190ac1
@eolivelli @abhilash1in
ZOOKEEPER-4641: GH CI fails with error: implicit declaration of funct…
c514ff9 
…ion FIPS_mode

Modifications:
- remove the block, as it is used only for debug

More details here:
https://issues.apache.org/jira/browse/ZOOKEEPER-4641

Author: Enrico Olivelli <[email protected]>

Reviewers: Andor Molnar <[email protected]>, Chris Nauroth <[email protected]>, Mate Szalay-Beko <[email protected]>

Closes apache#1951 from eolivelli/fix/ZOOKEEPER-4641
@abhilash1in abhilash1in merged commit 3d5174c into linkedin:li-dev/base-3.6.3-znode-group-security Jun 14, 2023
@abhilash1in abhilash1in deleted the li-dev/base-3.6.3-znode-group-security branch June 14, 2023 05:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rahulrane50 rahulrane50 rahulrane50 left review comments

@desaikomal desaikomal desaikomal approved these changes

@mgao0 mgao0 Awaiting requested review from mgao0

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@abhilash1in @rahulrane50 @desaikomal @eolivelli